Late last year, a nefarious banking app was discovered on the Android phone marketplace. This, I'm afraid, is just the beginning.
Doing some Android phone development recently, I have gotten some hands-on experience with how an application is deployed to the Android Marketplace. One big difference between the Google and Apple mobile software stores is that Apple vets and approves each app before it is made available for public download. With Android, anyone who pays the $25 registration can upload an application to the marketplace.
To upload an application, it first must be signed with your own digital signature. This signature need not be certified--you can create one yourself and it is just as valid as one issued by Verisign. Signing your application is the only security requirement that must be met before uploading to the marketplace. The information your submit to create your Android developer account is also not reviewed or verified.
If your application is free, then anyone with a compatible Android phone can begin downloading and using it. If the application needs to connect to the internet, then during the installation the user is notified "This application has access to the following: Network communication, full Internet access," to which the user clicks OK to proceed with the install.
There are no alerts about the digital signature coming from untrusted or unknown source. All applications are implicitly trusted. My Android phone has 800 Mhz processor with 256MB RAM, a worth addition to any botnet.
The current protections for mobile applications remind me of web sites in the mid to late 90s when e-commerce was just starting to get off the ground and viruses and botnets weren't daily news (and desktop PCs didn't have the same power that we now carry in our pocket.) People just trusted anything they clicked, and bad guys realized this and quickly developed ways to exploit this blind trust. Now that cyber crime has become much more savvy and organized, they working feverishly to exploit this new mobile vector.
I know mobile apps still have that wow factor, but we have to learn from the past and treat all Internet enabled devices as attractive targets for attack today. These mobile OSes need to have the same protections we apply to desktop PCs. We should not continue blindly assuming that the focus of attack is the desktop PC and not mobile devices, even though they all have similar hardware specs and are connected to the same Internet. Otherwise, this is security by obscurity, which does little else but to give us a false sense of security.